692,234 research outputs found

    An approach to Information Security for SMEs based on the Resource-Based View theory

    The main focus of this proposal is to analyze implementation challenges, benefits and requirements in the implementation of Information Systems and in managing information security in small and medium-sized companies in Western Balkans countries. In relation to the study, the proposal will focus on the following questions to investigate: What are the benefits that companies mostly find after Information Systems have been implemented, efficiency, how do they manage the security of information, competitive advantage, return on investment, etc. The study should give a clear approach to Information Systems implementation, information security, maintenance, measurable benefits, challenges companies have gone through and a model of how to approach Information Systems as a general guide utilizing best practices by the companies that are also supported by the available literature review. A very important place in the research will also be given to information security threats, security management measures and proposed alternatives for organizations to network vulnerabilities from malicious attacks. Since there are several security management frameworks which also encompass the security management models, my research could start with an analysis of the security management, current situation and will end with a proposal for the new approach to information security.

    An investigation of network security management methods

    Network Management (NM) is concerned with reducing complexity and managing cost. The traditional NM tools and techniques are based on the Open System Interconnection (OSI) NM model. However, several drawbacks have been identified when managing a network using traditional NM tools (Sarkar & Verma, 2001). Network security is a major issue when managing a network. Even though the technology helps to reduce security risks, unless properly managed, the security measures may not do the job as expected. The State Model (SM) diagram is a new method, which may assist in managing the network. This new method may provide functionality not currently offered by current NM tools. Furthermore, it may be possible to integrate the SM with NM tools. SM diagrams integrate relevant output from devices with protocol finite state information by means of tables. The diagrams are modular and hierarchical, thereby providing top-down decomposition by means of levelling. Furthermore, their modular, hierarchical characteristics allow technical detail to be introduced in an integrated and controlled manner. The State Model Diagrams were evaluated as a network management tool by twenty participants. The results clearly demonstrated that these diagrams could be of value not only as an NM tool but also as a tool for network security management.

    Towards an efficient vulnerability analysis methodology for better security risk management

    2010 Summer. Includes bibliographical references. Risk management is a process that allows IT managers to balance between the cost of the protective measures and gains in mission capability. A system administrator has to make a decision and choose an appropriate security plan that maximizes the resource utilization. However, making the decision is not a trivial task. Most organizations have tight budgets for IT security; therefore, the chosen plan must be reviewed as thoroughly as other management decisions. Unfortunately, even the best-practice security risk management frameworks do not provide adequate information for effective risk management. Vulnerability scanning and penetration testing, which form the core of traditional risk management, identify only the set of system vulnerabilities. Given the complexity of today's network infrastructure, it is not enough to consider the presence or absence of vulnerabilities in isolation. Materializing a threat strongly requires the combination of multiple attacks using different vulnerabilities. Such a requirement is far beyond the capabilities of current day vulnerability scanners. Consequently, assessing the cost of an attack or the cost of implementing appropriate security controls is possible only in a piecemeal manner. In this work, we develop and formalize a new network vulnerability analysis model. The model encodes, in a concise manner, the contributions of different security conditions that lead to system compromise. We extend the model with a systematic risk assessment methodology to support reasoning under uncertainty in an attempt to evaluate the vulnerability exploitation probability. We develop a cost model to quantify the potential loss and gain that can occur in a system if certain conditions are met (or protected). We also quantify the security control cost incurred to implement a set of security hardening measures. We propose solutions for the system administrator's decision problems covering the area of the risk analysis and risk mitigation analysis. Finally, we extend the vulnerability assessment model to the areas of intrusion detection and forensic investigation.

    Security Improvement of Unicast Management Frames in IEEE 802.11 MAC Layer

    Wireless Local Area Network (WLAN) or IEEE 802.11, was formed in 1990 to exchange information by using radio frequency rather than wires. This standard transmits information by three types of frame: data frame, control frame, and management frame. To provide security for WLANs, different security protocols have been designed, such as Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and the strongest one, IEEE 802.11i (WPA2). Unfortunately, all of the mentioned protocols provide security only for the data frame. Control and management frames are transmitted without any protection even in IEEE 802.11i. The lack of protection on management frames allows an intruder to launch different types of attack on the WLAN such as forgery, session hijacking, denial of service and man-in-the-middle attack, which can lead to exposure of the whole WLAN. To address the problem, this thesis proposes and evaluates a new per-frame security model called Management Frame with Integrity and Authentication (MFIA) to authenticate transmitted management frames. The proposed model uses a secret key and a new random sequence number (RSN) to secure communication between devices in the WLAN and to prevent an intruder from exposing the WLAN. The proposed model checks the authentication of a sender and the integrity of the management frames. The proposed model has been evaluated by quantifying the probability of an intruder finding a proper RSN, the probability of different current common attacks on management frames, and also the required time for the specified attacks. The results show that MFIA provides a high security level for management frames in all IEEE 802.11 standards. The required times to launch the attacks show that allocating the specified time is almost impossible for an intruder in the proposed model, which makes the mentioned attacks impractical. Results also show the proposed model can prevent a variety of attacks on management frames.

    Network Security Devices and Protocols Using State Model Diagrams

    Network security is concerned with protecting sensitive information, limiting unauthorised access, and reinforcing network performance. An important factor in network security is encryption. Internet Security Protocol (IPSec) is the de facto open standard for encryption and replaces the older Cisco Encryption Technology (CET). Both encryption protocols are typically implemented and managed using the text-based Command Line Interface (CLI). A graphical user interface (GUI) is available; however, it is not routinely used. Regardless of whether the CLI or GUI is used, both encryption suites are complex to implement and manage. State Model Diagrams (SMDs) were developed and successfully used as the pedagogical foundation of internetworking technologies. SMDs integrate pertinent output from devices and protocol finite state information. SMDs are modular and hierarchical models, thereby providing top-down deconstruction as a cascaded structure. In terms of ease of use, hyperlinks may be used to navigate between different state tables and diagrams. Moreover, hierarchical model characteristics allow technical detail to be presented and integrated to assist in managing devices. In this paper, SMDs were used to evaluate CET and IPSec via experiments in order to determine their potential value as a network management tool.